About the Speakers

Greg Porter is an Adjunct Professor at Heinz College at Carnegie Mellon University, where he teaches information security and privacy related subject matter within the college's expanding graduate level health care programs. Greg is also the founder of Allegheny Digital, a Western Pennsylvania based security and privacy services company specializing in Network Infrastructure Security, Digital Forensics, Regulatory Compliance, and Enterprise Risk Management.

Prior to starting Allegheny Digital, Greg led the Mid Atlantic Information Protection & Business Resiliency Practice for KPMG, LLP, where he assumed various responsibilities ranging from Technical Lead to Project Manager. Greg maintains several information security related certifications and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM). He also serves as a Visiting Scientist at SEI-CERT.

Randy Trzeciak is currently a senior member of the technical staff at CERT. He leads the insider threat team, which focuses on insider threat research; threat analysis and modeling; assessments; and training. Randy has more than 20 years of experience in software engineering; database design, development, and maintenance; project management; and information security. He also is an adjunct professor at Carnegie Mellon's Heinz College, School of Information Systems and Management. Randy holds an MS in Management from the University of Maryland, a BS in Management Information Systems, and a BA in Business Administration from Geneva College.
Polling Question

#1 How did you hear about this webinar?

1. Social Media site (LinkedIn, Twitter)
2. Email invitation from the SEI
3. SEI Website
4. Website with webinar calendar, i.e. www.webinar-directory.com
5. Other
Agenda

• Introduction
• Current State
• Threat Landscape
• Defensive Strategies
• Conclusion

Greg Porter
This Presentation

• Based on technical and non-technical health care security assessment observations
• Experience with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
• Trying to get a feel for health care security trends, as well as general infosec developments, observed during this time
• This presentation is directly affected by regulatory changes... new and old
• Intent is to simply provide an overview and perhaps provide some important considerations for organizations, health care based and otherwise
Current State

• Where are we today?
• 14 years after the passage of HIPAA
• Over 5 years since Covered Entities had to be compliant with the HIPAA Security Rule
• The HITECH Act and Business Associate compliance demands
• A year since the breach notification requirements (IFR)
• Meaningful use & electronic health records (EHR)
• Yet... we continue to see health care organizations struggle with the governance and security of electronic protected health information (ePHI)
Regulatory Demands

• Regulations driving industry compliance
— HIPAA Security
— HIPAA Privacy
— HITECH Act
— Payment Card Industry Data Security Standards (PCI-DSS)
— Genetic Information Non-discrimination Act (GINA)
— FTC Red Flags Rule?
— State Regulations & Breach Notification Requirements
• Regulatory compliance merely sets the floor; be mindful of the "set it and forget it" mindset
Beyond ePHI

• HIPAA Security, that's new, right?
• Breach notification concerns are awakening the Accountability Act components of HIPAA Security
• Prior to 2008, HIPAA Security enforcement was scant, but that's dramatically changing
• Data is the new currency
— HIPAA Privacy - PHI
— HIPAA Security - ePHI
— Unsecured PHI - HITECH Act
— Cardholder Data - PCI DSS
— Personal Data - State Regulations
• The protection of ePHI is a challenge in even the most well managed environments, but why?
The Unbounded Health Care Enterprise
Software Engineering Institute | Carnegie Mellon | Twitter: #seiwebinar

Threat Landscape

External attacks
— Virginia Health Professions Database
— 8 million patient records compromised, $10 million extortion attempt

Insider Threats
— Security guard charged with hacking hospital systems
— Planned massive July 4 DDoS attack
— Janitor, Northwestern Memorial Hospital

Physical Security
— CVS & Rite Aid disposal practices
— Throwing away confidential medical information into unsecured dumpsters
— HIPAA violation, fined $2.25 million

Regulatory Enforcement
— Insurer Health Net will pay $250,000 in damages and offer stronger consumer protections
— Connecticut Attorney General Richard Blumenthal
Breach

• Data anywhere + data everywhere
• Over 110 breaches affecting more than 4.1 M individuals and health records have occurred since the HIPAA Breach Notification Rule took effect on September 23, 2009 [1]
— Ponemon Institute [2]: average cost per compromised record is $204 ($144 of indirect costs and $60 of direct costs)
— To date, the theft of laptops is the primary cause of a breach of ePHI, followed by the theft of desktop computers and theft of removable media
— Hacking incidents have also led to breaches
• U.S. Department of Health and Human Services, Breaches Affecting 500 or More Individuals
— http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

1. Hourihan, Chris, "An Analysis of Breaches Affecting 500 or More Individuals in Healthcare", HITRUST, August 2010.
2. "2009 Annual Study: Cost of a Data Breach," Ponemon Institute LLC, January 2010.
Motivation

• Organized crime
— While a hacker might get 40 cents for a stolen credit card number, a stolen medical identity could fetch a premium of $14 to $18
• Medical identity theft
— Patient pretends to be someone else so they won't have to pay for their own medical bills
— Organized thieves working as receptionists, janitors, and accountants within the health care field itself
• Health care entities have valuable assets
— Like electronic medical records on most of us
— Information rich environments: not just ePHI and PII, but also financial data, R&D information, and academic studies
— Equipment (e.g. laptops, PDAs, mobile phones, robots)
Health Care Targeting

• Hacker Attacks Targeting Health Care Organizations Doubled in the 4th Quarter of 2009
— SecureWorks Data
• Attempted attacks increased from an average of 6,500 per health care client per day in the first nine months of 2009 to an average of 13,400 per client per day in the last three months of 2009
• Attempted attacks against other types of organizations, protected by SecureWorks, did not increase in the fourth quarter
• Possible correlation?
Impact

• Breach of ePHI
• Damage to reputation
• Regulatory consequence and financial penalties
• Jail time, criminal penalties for willful neglect
• Loss of human life?
— While many concerns focus on a data breach, some vulnerabilities can be more severe
— Pacemakers and implantable cardiac defibrillators susceptible to RF manipulation and attack [1]
— Consider the implications of the previously mentioned DDoS attack and the availability of WiFi equipped IV infusion pumps

1. Feder, Barnaby, "A Heart Device Is Found Vulnerable to Hacker Attacks", New York Times, March 2008, http://www.futurecrimes.com/biological-human-genome-crime/hacking-the-human-heart-medical-devices-found-subject-to-technical-attack/
Polling Questions

#2 Has your organization conducted a HIPAA security assessment within the past 18 months? YES / NO

#3 Does management have a definitive understanding of where, exactly, electronic protected health information is located within the organization? YES / NO
Social Networks

• Consider the benefits... and the risks!
— Social networks foster collaboration and cohesion
— Also one of the leading sources of malware infection
• More and more, provider and payer reputations are available online, including patient / customer opinions and ratings
• Henry Ford Hospital "tweets" live procedure during kidney surgery [1]
• Raise awareness, assist patients: text4baby program
— http://www.text4baby.org
• Communicate during crisis events
— November 2009 Fort Hood shooting attack
— Scott & White Healthcare, one of the hospitals that treated Fort Hood victims, used Twitter to provide up-to-the-minute news
• Organize personnel during natural disasters, TN and IA

1. http://www.cnn.com/2009/TECH/02/17/twitter.surgery/index.html
Social Network Risks

• Major source for malware infections
• Consider user behaviors
— Tri-City Medical Center in Oceanside, CA
— Summer 2010
— 5 employees fired for posting patient information online on Facebook
• Chicago, IL
— Native American, Christopher Cornstalk
— Battled alcoholism
— RN started a page, "Did you Know this Alcoholic Indian?"
— Shared unflattering photos of the patient, posted comments
— Over 600 people joined, including RNs, EMTs, firefighters, and police officers
• Establish a social media policy, then monitor and enforce it
— Set penalties for violating policy. For example, an intentional act of misusing or breaching patient information results in immediate dismissal
Cloud Computing

• "Cloud" offers rapid scalability and provisioning, but what it's missing is quite important:
— Cloud computing lacks standards about data handling and security practices
— No agreement about whether a vendor has an obligation to tell users if their data is in the U.S. or not
— Users and vendors are only beginning to try to sort out those issues through industry associations, such as the year-old Cloud Security Alliance
• Before reaching any agreement with a cloud provider, carefully review service level agreements and conduct thorough security reviews prior to finalizing
Emerging Threats

• Today's malware
— Very sophisticated, targeted, and designed to infect, conceal access, pilfer data and modify information without detection
• Client-side attacks: attacker targets an employee's PC
— Why? Compromise a client device to gain a network foothold and purview of whatever may be connected... such as data and other systems!
— Workforce members' PCs may directly communicate with back-end systems containing sensitive data such as ePHI, PII, and CCD
— Visibility: provides the attacker with a foothold to exploit other internal systems
• Exploited via application vulnerabilities
• Vulnerabilities that exist in widely deployed and commonly used programs such as IE, Firefox, Safari, Adobe Acrobat, MS Word, Excel, etc.




Malware - Client Side Exploitation

• Adobe PDF (Portable Document Format)
• Sometimes referred to as Problematic Document Format
• Highly useful, highly exploitable software
• Offers a well leveraged vehicle for client side attacks and, inevitably, compromising health care targets
• Why? Well, an attacker can embed music, movies, and 3D artwork complete with JavaScript, plus submit-form actions (submit the data you input directly to a server somewhere on the Internet)
• Executable files
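Because a PDF can carry JavaScript, submit-form actions and embedded files, a defender's first question about a suspicious attachment is which of those features it actually uses. The following is an added Python example, not part of the webinar, that triages raw PDF bytes for the name objects behind those features. It normalizes #xx hex escapes in names before matching, because a naive search for "/JavaScript" misses "/J#61vaScript", which the PDF syntax treats as the same name. The risky-name list, the quarantine/review thresholds and the sample PDF fragments are constructed for illustration, not taken from real documents or from any standard.

```python
import re

# Name objects that give a PDF active or outbound behaviour, mapped to the feature
# they enable. This list is an assumption for triage, not an exhaustive standard.
RISKY_NAMES = {
    "/JavaScript": "JavaScript",
    "/JS": "JavaScript",
    "/OpenAction": "action on open",
    "/AA": "additional (automatic) actions",
    "/Launch": "launch external program",
    "/SubmitForm": "form submission to a server",
    "/EmbeddedFile": "embedded file",
    "/RichMedia": "rich media (Flash/3D)",
}

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
NAME_RE = re.compile(rb"/[A-Za-z]+")


def normalize_names(data):
    """Undo #xx hex escapes so '/J#61vaScript' reads as '/JavaScript' (PDF name syntax)."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data):
    """Return {feature: count} for risky name objects found in raw PDF bytes."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    found = {}
    for m in NAME_RE.finditer(normalize_names(data)):
        name = m.group(0).decode("ascii")
        if name in RISKY_NAMES:
            feature = RISKY_NAMES[name]
            found[feature] = found.get(feature, 0) + 1
    return found


def verdict(data):
    """Coarse disposition: quarantine on code-execution features, review on other active ones."""
    features = triage_pdf(data)
    if any(f in features for f in ("JavaScript", "launch external program", "embedded file")):
        return "quarantine"
    if features:
        return "review"
    return "plain"


# Constructed sample PDF fragments (assumptions for this example; not real malware,
# just objects carrying the relevant names).
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF")
# Same content as JS_PDF, but the name is hex-escaped to dodge a literal string match.
ESCAPED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction "
               b"<< /S /J#61vaScript /JS (x) >> >> endobj\n%%EOF")
FORM_PDF = b"%PDF-1.4\n1 0 obj << /S /SubmitForm /F (http://203.0.113.9/collect) >> endobj\n%%EOF"

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN_PDF), ("js", JS_PDF),
                          ("escaped", ESCAPED_PDF), ("form", FORM_PDF)]:
        print(label, verdict(sample), triage_pdf(sample))
```

Run as a script it prints a verdict and feature count per sample; the "escaped" sample gets the same result as the "js" one, which is the point of the normalization step. A production gateway would additionally inflate compressed object streams before scanning, since names inside a FlateDecode stream are invisible to this byte-level pass.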
Malware Delivery

• How about e-mail?
• But our anti-virus software will catch that, right?
— Maybe not... good if you have a known signature in your AV database
— Attackers often utilize publicly available, high quality tools such as the Metasploit framework to pack malicious code, scrambling the executable file in an effort to evade detection
• Can utilize Metasploit to create a reverse HTTP executable shell file
• May run over SSL to aid evasion
Malware - Detection

• Can use a service such as VirusTotal prior to sending a malicious file
• Will attempt to identify viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and web analysis toolbars across 40 different AV vendors
• Chances are, the target is running one of them
• So, if the payload is not detected by any of the vendors, the attacker may have increased the likelihood that a given user will execute the file

[Screenshot of a VirusTotal scan result: 39 (10.26%)]
Malware - Client Side Delivery

• Malicious PDF files e-mailed to US defense contractors
— The document talks about a real conference held in Las Vegas in March 2010 [1]
— When opened in Adobe Reader, the file exploited the CVE-2009-4324 vulnerability
— A backdoor connected to IP address 140.136.148.42. In order to avoid detection, it bypasses the local web proxy when making this connection
— Anybody who controls that IP will gain access to the infected computer and the company network. This particular IP is located in Taiwan




More Vulnerabilities

• Non-secure web applications
— Resulting in web based exploitation via cross site scripting (XSS), SQL injection, etc.
• Misconfigured systems
— Internet facing (external) infrastructure: web/DMZ servers, switches, routers, terminal services, modems (yes, modems), etc.
— Internal systems, workstations, mobile devices
— Wireless infrastructure (APs, Bluetooth)
— Default passwords!
• Sensitive information is everywhere and its location is often not well understood
— Exists in structured areas such as databases, but also unstructured areas such as text files, Word/Excel, etc.
— Unbounded networks & mobility
— Vendors and business associates: how is data flow determined... definitively?
• Poor patch management
— Both at the OS and application level
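Polling question #3 earlier asks whether management knows where ePHI is located, and the slide's point is that it leaks into unstructured files. The following added Python example (not from the webinar) shows a minimal discovery scan over constructed file contents: it looks for SSN-shaped values, a hypothetical eight-digit "MRN" format, and labelled dates of birth, rejects SSN values the Social Security Administration never issues to cut obvious false positives, and reports masked values only, so the scan report does not itself become another copy of ePHI. The file paths, contents and the MRN format are all assumptions made up for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample "files" as they might sit on a departmental share.
# Every value below is fabricated; the MRN format is an assumed local scheme.
SAMPLE_FILES = {
    "billing/notes_q3.txt": (
        "Pt John Doe, MRN 00123456, DOB 03/14/1962, SSN 219-09-9999\n"
        "Call back re: outstanding balance.\n"
    ),
    "it/README.txt": "Build 4.1 released on 12/01/2009. Ticket 000-00-0000 is a placeholder.\n",
    "hr/roster.csv": "name,ssn\nJane Roe,123-45-6789\nSam Poe,666-12-3456\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN\s*#?\s*(\d{8})\b")          # assumed eight-digit MRN
DOB_RE = re.compile(r"\bDOB\s*:?\s*(\d{2}/\d{2}/\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues (area 000, 666, 900-999; group 00; serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    masked: str  # the raw identifier is never copied into the report


def mask(value):
    """Keep only the last four characters so a finding can be located without re-exposing it."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(path, text):
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(path, n, "SSN", mask(m.group(0))))
        for m in MRN_RE.finditer(line):
            findings.append(Finding(path, n, "MRN", mask(m.group(1))))
        for m in DOB_RE.finditer(line):
            findings.append(Finding(path, n, "DOB", mask(m.group(1))))
    return findings


def scan_files(files):
    """Return {path: [Finding, ...]} for every file that contains at least one hit."""
    report = {}
    for path, text in files.items():
        hits = scan_text(path, text)
        if hits:
            report[path] = hits
    return report


def summarize(report):
    """Collapse a report to {path: sorted list of identifier kinds} for an inventory view."""
    return {path: sorted({f.kind for f in hits}) for path, hits in report.items()}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for f in hits:
            print(f"{f.path}:{f.line_no} {f.kind} {f.masked}")
```

The README sample shows why the SSA plausibility check matters: "000-00-0000" has the right shape but is rejected, and the roster's "666-12-3456" is rejected for the same reason, so only one real-looking SSN is reported from that file. Walking a real share would replace the dict with os.walk plus text extraction for Word/Excel files, but the matching and masking logic stays the same.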
The Challenge

• Corporate information systems and data are under assault like never before
• Asymmetric issue, many-to-one
— Health care entities must identify and then defend against (many) potential attack vectors within their environment, and then vigilantly monitor
— Attackers only need to find a single weakness to exploit
• Automated attack tools and packaged exploits make this challenge all the more difficult to defend against
• Botnets and autonomous exploit kits significantly reduce the technical expertise needed... so easy a caveman could do it?
• Metasploit and other well developed, proven tools are free
HIPAA Security Drivers

• Use compliance drivers to your advantage
• As required by HIPAA's Administrative Safeguard Standard
— §164.308(a)(8), Evaluation
— Perform a periodic technical and nontechnical evaluation that establishes the extent to which a given CE's policies and procedures meet the intent of the HIPAA Security provisions
• Work with General Counsel to ensure that your current HIPAA Security posture is compliant with legislative intent
• Conduct an accurate and thorough risk assessment to identify, define, and prioritize risks to ePHI; it should also encompass ePHI brokered to business associates
Defensive Considerations

• Integrate and/or align Breach Procedures with your Incident Response Plan (you do have one, right?), then test it
• Consider formalized training on incident handling, including:
— How to develop and manage a CSIRT
— How to customize your CSIRT to meet the unique demands of the health care industry
• Restrict & monitor privileged users
• Baseline network traffic: what's normal?
— Filter and monitor outgoing traffic
— Lock down outbound ports and services based on business justification
— Do all users need access to Telnet, FTP, TFTP, SSH, RDP, etc.?
• If reasonable and appropriate, conduct penetration testing and vulnerability assessments (internal and external) against information assets storing or processing ePHI
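Locking outbound ports down "based on business justification" only works if the justification is written down somewhere a tool can check. The added Python example below (not from the webinar) encodes a per-zone egress allowlist and audits flow records against it, naming the service (FTP, TFTP, SSH, RDP and so on) whenever a zone has no recorded justification for it; the per-port counts are the kind of figure that feeds back into the "what's normal" baseline. The zones, CIDR ranges, allowed ports and flow lines are all constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed egress policy (an assumption for this example): each internal zone
# lists the outbound destination ports it has a documented business need for.
# Anything else leaving the network from that zone is flagged.
EGRESS_POLICY = {
    "workstations": {"cidr": "10.10.0.0/16", "allowed_ports": {53, 80, 443}},
    "it_admins": {"cidr": "10.20.5.0/24", "allowed_ports": {22, 53, 80, 443, 3389}},
    "servers_dmz": {"cidr": "192.168.100.0/24", "allowed_ports": {25, 53, 443}},
}

# Address space considered internal; traffic staying inside it is not egress.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

SERVICE_NAMES = {21: "FTP", 22: "SSH", 23: "Telnet", 69: "TFTP", 3389: "RDP"}

# Constructed flow records in a key=value form (fabricated; documentation ranges only).
SAMPLE_FLOWS = [
    "src=10.10.4.17 dst=203.0.113.5 proto=tcp dport=443",
    "src=10.10.4.17 dst=203.0.113.9 proto=tcp dport=21",
    "src=10.10.7.2 dst=198.51.100.20 proto=udp dport=69",
    "src=10.20.5.3 dst=203.0.113.40 proto=tcp dport=22",
    "src=10.10.9.8 dst=10.10.9.1 proto=tcp dport=445",
    "src=192.168.100.10 dst=198.51.100.7 proto=tcp dport=3389",
    "src=172.16.0.4 dst=203.0.113.5 proto=tcp dport=443",
]


def parse_flow(line):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"],
        "dport": int(fields["dport"]),
    }


def zone_for(addr):
    for name, zone in EGRESS_POLICY.items():
        if addr in ipaddress.ip_network(zone["cidr"]):
            return name
    return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def evaluate(flow):
    """Return None if the flow is permitted egress, otherwise a short reason string."""
    if is_internal(flow["dst"]):
        return None  # internal-to-internal traffic is outside the scope of egress policy
    zone = zone_for(flow["src"])
    if zone is None:
        # A source no zone claims is itself a finding: the policy has a gap.
        return "unknown source zone"
    if flow["dport"] in EGRESS_POLICY[zone]["allowed_ports"]:
        return None
    service = SERVICE_NAMES.get(flow["dport"], f"port {flow['dport']}")
    return f"{service} not justified for zone {zone}"


def audit(lines):
    """Return a list of (source, destination port, reason) for every flagged flow."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        reason = evaluate(flow)
        if reason:
            violations.append((str(flow["src"]), flow["dport"], reason))
    return violations


def top_offending_ports(violations):
    """Per-port tally of flagged flows, most frequent first."""
    return Counter(port for _, port, _ in violations).most_common()


if __name__ == "__main__":
    found = audit(SAMPLE_FLOWS)
    for src, port, reason in found:
        print(f"{src} -> {port}: {reason}")
    print(top_offending_ports(found))
```

Two design points are worth noting. The SSH flow from the IT admin zone passes because that zone has it on record, while the same port from a workstation would not; that is what "based on business justification" looks like in data. And an address that matches no zone is reported rather than silently permitted, because an unclaimed subnet is exactly where an undocumented modem or forgotten VLAN tends to live.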
Defensive Considerations

• Conduct an accurate and thorough risk assessment to identify, define, and prioritize risks to ePHI
• How do I perform a risk assessment?
— NIST 800-30
— SEI-CERT, OCTAVE
• Develop a thorough monitoring process, including log collection and analysis
• Utilize biometrics to harden authentication processes, reducing what an attacker gains from compromised password information
• Patch your systems & don't run as ADMINISTRATOR (or root) on your local workstation
• Realize you likely have users doing this every day... do you know who they are?
• Review service level agreements and contracts; ensure a "Right to Audit" clause is included
• Audit!
Governance Models

• Consider a business process oriented approach to information security
— Frameworks such as the CERT Resilience Management Model (CERT-RMM)
— Understand resilience across the organization's people, information, technology, and facilities
— www.cert.org/resilience
• Check out the Health Information Trust Alliance (HITRUST)
— Excellent source for health care related security controls
— Based on the ISO 27000 family of standards
— www.hitrustalliance.net
• Education
— Emphasize the lack of anonymity in your environment
— Your activities can and may be monitored
— Use real-world attacks and scams as examples
— Encourage paranoia
— Consider how your data is managed from entrance to exit
Polling Questions

#4 Does your organization have an incident response plan? YES / NO

#5 Does your incident response process account for the HITECH Act's Breach Notification requirements? YES / NO
Conclusion

• Health care organizations process and exchange highly sensitive patient information daily, leading to the potential for increased risk and exposure
• IP, PII, and ePHI are highly valued by the cyber criminal underground and will continue to be targeted
• It is the responsibility of assigned organizational management to take reasonable and appropriate measures to safeguard sensitive information in line with regulatory demands and consumer expectations
• Potential threats and risks to information should be accounted for before information security controls are developed, assessed, implemented, and monitored
• Strongly consider the people, information, technology and facilities that sustain critical operations and protect them commensurate to operational value and regulatory expectations, such as HIPAA/HITECH
Insider Threat Agenda

Introduction
How bad is the insider threat?
Exploration of each type of insider crime:
• IT sabotage
• Theft of Intellectual Property
• Fraud
Best Practice for Prevention and Detection
Discussion

Randy Trzeciak
Introduction
Who is a Malicious Insider?

Current or former employee, contractor, or other business partner who
■ has or had authorized access to an organization's network, system or data and
■ intentionally exceeded or misused that access in a manner that
■ negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

Types of Insider Crimes

Insider IT sabotage
An insider's use of IT to direct specific harm at an organization or an individual.

Insider theft of intellectual property (IP)
An insider's use of IT to steal intellectual property from the organization. This category includes industrial espionage involving insiders.

Insider fraud
An insider's use of IT for the unauthorized modification, addition, or deletion of an organization's data (not programs or systems) for personal gain, or theft of information which leads to fraud (identity theft, credit card fraud).
CERT's Insider Threat Case Database

[Bar chart: Crimes by Category. Categories: Sabotage, Fraud, Theft of IP, Misc, Espionage; vertical axis scaled to 180]
Critical Infrastructure Sectors

[Chart: U.S. Cases by Critical Industry Sector (sector labels include Water)]

** This does not include espionage cases involving classified information
How bad is the insider threat?
Insider Threat Issue - 1

Insiders pose a substantial threat by virtue of their knowledge of, and access to, their employers' systems and/or databases.

Insiders can bypass existing physical and electronic security measures through legitimate means.
Polling Questions

#6 Has your organization been the victim of an insider attack? YES / NO

#7 Can you confidently say you have not been the victim of an insider attack? YES / NO
2009 e-Crime Watch Survey

CSO Magazine, USSS, CERT & Deloitte

523 respondents
39% of organizations have less than 500 employees
23% of organizations have less than 100 employees

[Chart: Percentage of Participants Who Experienced an Insider Incident]
2009 e-Crime Watch Survey - 2

43% of respondents: insiders posed the greatest cyber security threat to their organization during the past 12 months

67% of respondents: insider attacks were more damaging than outsider attacks

Most common insider e-crime:
• Unauthorized access to / use of corporate information (23%)
• Theft of intellectual property (16%)
• Theft of other information (financial & customer data) (15%)
• Fraud (percentage not legible)
• Intentional exposure of private or sensitive data (percentage not legible)
2009 E-Crime Survey Results - 3

[Chart: Which percentage of electronic crimes committed by insiders were handled internally without legal action or law enforcement?]
Insider Crime Profiles

Crime Profile #1: IT Sabotage
IT Sabotage Incidents

An IT consultant for a hospital medical supply facility seeks revenge when he loses control of his company...
...System administrator sabotages systems on his way out

A security guard at a U.S. hospital, after submitting resignation notice, obtained physical access to computer rooms...
...Installed malicious code on hospital computers, accessed patient medical records
Insider IT Sabotage

Who did it?
• Former employees
• Male
• Highly technical positions
• Age: 17-60

How did they attack?
• No authorized access
• Backdoor accounts, shared accounts, other employees' accounts, insider's own account
• Many technically sophisticated
• Remote access outside normal working hours
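The findings above say sabotage is typically committed by former employees, through backdoor or shared accounts, remotely and outside normal working hours. Together with the earlier advice to "restrict & monitor privileged users" and to build a monitoring process around log collection and analysis, that is enough to write detection rules. The added Python example below (not from the webinar, and not CERT's tooling) applies four such rules to an authentication log: a successful login by an account HR has marked as terminated, a privileged remote login after hours, remote use of a shared account, and a privileged account created after hours. The account lists, business hours, host names and log lines are all constructed; the same rules would normally live in a SIEM rather than a batch script.

```python
from datetime import datetime, time
import ipaddress

# Constructed inputs (assumptions for this example, not data from the webinar).
TERMINATED_ACCOUNTS = {"rgreen"}                       # HR feed: access should already be revoked
PRIVILEGED_ACCOUNTS = {"dbadmin", "rgreen", "svc_backup"}
SHARED_ACCOUNTS = {"svc_backup"}                       # accounts with no single accountable owner
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # anything else counts as remote
WORK_START, WORK_END = time(7, 0), time(19, 0)         # assumed local business hours

# Constructed authentication log lines (fabricated; documentation address ranges only).
SAMPLE_AUTH_LOG = [
    "2010-07-03T10:15:02 host=ehr-app01 user=jdoe src=10.3.4.5 event=login_ok",
    "2010-07-03T23:41:07 host=ehr-db01 user=rgreen src=203.0.113.77 event=login_ok",
    "2010-07-04T02:10:44 host=ehr-db01 user=dbadmin src=198.51.100.9 event=login_ok",
    "2010-07-04T02:12:03 host=ehr-db01 user=dbadmin src=198.51.100.9 event=account_created target=maint2 group=admins",
    "2010-07-04T03:05:19 host=fileshare user=svc_backup src=203.0.113.8 event=login_ok",
    "2010-07-04T14:00:00 host=ehr-db01 user=dbadmin src=10.3.4.9 event=login_ok",
    "2010-07-04T23:59:59 host=ehr-app01 user=jdoe src=10.3.4.5 event=login_fail",
]


def parse(line):
    """Split 'timestamp key=value ...' into a dict, adding a parsed time and a remote flag."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["remote"] = ipaddress.ip_address(rec["src"]) not in INTERNAL
    return rec


def outside_hours(ts):
    return not (WORK_START <= ts.time() < WORK_END)


def check(rec):
    """Apply the sabotage indicators to one record and return the alert tags that fire."""
    alerts = []
    user = rec["user"]
    login = rec["event"] == "login_ok"
    if login and user in TERMINATED_ACCOUNTS:
        alerts.append("terminated-account-login")
    if login and user in PRIVILEGED_ACCOUNTS and rec["remote"] and outside_hours(rec["ts"]):
        alerts.append("privileged-remote-after-hours")
    if login and user in SHARED_ACCOUNTS and rec["remote"]:
        alerts.append("shared-account-remote-use")
    if rec["event"] == "account_created" and rec.get("group") == "admins" and outside_hours(rec["ts"]):
        alerts.append("privileged-account-created-after-hours")
    return alerts


def analyze(lines):
    """Return (timestamp, user, tag) for every alert raised over the log."""
    findings = []
    for line in lines:
        rec = parse(line)
        for tag in check(rec):
            findings.append((rec["ts"].isoformat(), rec["user"], tag))
    return findings


if __name__ == "__main__":
    for ts, user, tag in analyze(SAMPLE_AUTH_LOG):
        print(ts, user, tag)
```

Note that one record can raise more than one tag: the terminated account's login is also a privileged remote login after hours, and the shared backup account's remote login after hours fires two rules as well. The after-hours account creation by an already-flagged session is the "backdoor account" pattern from the list above, caught at the moment it is created rather than when it is later used.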
Summary of Findings: IT Sabotage

% of crimes in case database: 35%
Current or former employee?: Former
Type of position: Technical (e.g. sys admins or DBAs)
Gender: Male
Summary of Findings: IT Sabotage

Target: Network, systems, or data
Access used: Unauthorized
When: Outside normal working hours
Where: Remote access
Recruited by outsiders: None
Collusion: None
Crime Profile #2: Theft of Intellectual Property
Theft of Information Incidents

A technical operations associate at a pharmaceutical company downloads 65 GB of information, including 1300 confidential and proprietary documents, intending to start a competing company in a foreign country...

Organization spent over $500M in development costs
Theft of Intellectual Property

Who did it?
• Current employees
• Technical or sales positions
• All male
• Average age: 37

What was stolen?
• Intellectual Property (IP)
• Customer Information (CI)

How did they steal it?
• During normal working hours
• Using authorized access
Dynamics of the Crime

Most were quick theft upon resignation

Stole information to
• Take to a new job
• Start a new business
• Give to a foreign company or government organization

Collusion
• Collusion with at least one insider in almost 1/2 of cases
• Outsider recruited insider in less than 1/4 of cases
• Acted alone in 1/2 of cases
Summary of Findings

% of crimes in case database
  IT Sabotage: 35%
  Theft of Intellectual Property: 18%
Current or former employee?
  IT Sabotage: Former
  Theft of Intellectual Property: Current
Type of position
  IT Sabotage: Technical (e.g. sys admins or DBAs)
  Theft of Intellectual Property: Technical (71%): scientists, programmers, engineers; Sales (29%)
Gender
  IT Sabotage: Male
  Theft of Intellectual Property: Male
Summary of Findings

Target
  IT Sabotage: Network, systems, or data
  Theft of Intellectual Property: IP (trade secrets) 71%; Customer Info 33%
Access used
  IT Sabotage: Unauthorized
  Theft of Intellectual Property: Authorized
When
  IT Sabotage: Outside normal working hours
  Theft of Intellectual Property: During normal working hours
Where
  IT Sabotage: Remote access
  Theft of Intellectual Property: At work
Recruited by outsiders
  IT Sabotage: None
  Theft of Intellectual Property: Less than 1/4
Collusion
  IT Sabotage: None
  Theft of Intellectual Property: Almost 1/2 colluded with at least one insider; 1/2 acted alone




Crime Profile #3: Fraud
Fraud Incidents

An accounts payable clerk, over a period of 3 years, issues 127 unauthorized checks to herself and others...
Checks totaled over $875,000

A front desk office coordinator stole PII from hospital...
Over 1,100 victims and over $2.8 M in fraudulent claims
Fraud: Theft or Modification

Most attacks were long, ongoing schemes

Who did it?
• Current employees
• "Low level" positions
• Gender: fairly equal split
• Average age: 33

What was stolen/modified?
• Personally Identifiable Information (PII)
• Customer Information (CI)
• Very few cases involved trade secrets

How did they steal/modify it?
• During normal working hours
• Using authorized access



Summary of Findings

% of crimes in case database**
  IT Sabotage: 35%
  Theft of Intellectual Property: 18%
  Fraud: 40%
Current or former employee?
  IT Sabotage: Former
  Theft of Intellectual Property: Current
  Fraud: Current
Type of position
  IT Sabotage: Technical (e.g. sys admins or DBAs)
  Theft of Intellectual Property: Technical (71%): scientists, programmers, engineers; Sales (29%)
  Fraud: Non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service)
Gender
  IT Sabotage: Male
  Theft of Intellectual Property: Male
  Fraud: Fairly equally split between male and female

** Does not include national security espionage
Summary of Findings

|                        | IT Sabotage                  | Theft of Intellectual Property                                  | Fraud                                                                                                  |
|------------------------|------------------------------|-----------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|
| Target                 | Network, systems, or data    | IP (trade secrets) - 71%; Customer Info - 33%                   | PII or Customer Information                                                                            |
| Access used            | Unauthorized                 | Authorized                                                      | Authorized                                                                                             |
| When                   | Outside normal working hours | During normal working hours                                     | During normal working hours                                                                            |
| Where                  | Remote access                | At work                                                         | At work                                                                                                |
| Recruited by outsiders | None                         | Less than 1/4                                                   | 1/2 recruited for theft; less than 1/3 recruited for modification                                      |
| Collusion              | None                         | Almost 1/2 colluded with at least one insider; 1/2 acted alone  | Modification: almost 1/2 colluded with another insider; Theft: 2/3 colluded with outsiders             |
Common Sense Guide to Prevention and Detection of Insider Threats

http://www.cert.org/archive/pdf/CSG-V3.pdf
Summary of Best Practices in CSG

•  Consider threats from insiders and business partners in enterprise-wide risk assessments.

•  Clearly document and consistently enforce policies and controls.

•  Institute periodic security awareness training for all employees.

•  Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.

•  Anticipate and manage negative workplace issues.

•  Track and secure the physical environment.

•  Implement strict password and account management policies and practices.

•  Enforce separation of duties and least privilege.

•  Consider insider threats in the software development life cycle.

•  Use extra caution with system administrators and technical or privileged users.

•  Implement system change controls.

•  Log, monitor, and audit employee online actions.

•  Use layered defense against remote attacks.

•  Deactivate computer access following termination.

•  Implement secure backup and recovery processes.

•  Develop an insider incident response plan.
Polling Question

#8  Does your organization have a dedicated group responsible for prevention, detection, and response to insider incidents?  YES / NO
Publicly Available Information

Reports

Podcasts

Insider Threat Study
System Dynamics
E-Crime Watch Survey

(http://www.cert.org/insider_threat/)
Points of Contact

Insider Threat Technical Manager

Randall F. Trzeciak
CERT Program
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-7040 - Phone
rft@cert.org - Email

http://www.cert.org/insider_threat/

Greg Porter

Allegheny Digital
SEI Visiting Scientist
Telephone: +1 877-234-0001
Email: info@alleghenydigital.com
NO WARRANTY

THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use  of  any  trademarks  in  this  presentation  is  not  intended  in  any  way  to  infringe  on  the  rights  of 
the  trademark  holder. 

This  Presentation  may  be  reproduced  in  its  entirety,  without  modification,  and  freely  distributed  in 
written  or  electronic  form  without  requesting  formal  permission.  Permission  is  required  for  any 
other  use.  Requests  for  permission  should  be  directed  to  the  Software  Engineering  Institute  at 
permission@sei.cmu.edu. 

This  work  was  created  in  the  performance  of  Federal  Government  Contract  Number  FA8721-05- 
C-0003  with  Carnegie  Mellon  University  for  the  operation  of  the  Software  Engineering  Institute,  a 
federally  funded  research  and  development  center.  The  Government  of  the  United  States  has  a 
royalty-free  government-purpose  license  to  use,  duplicate,  or  disclose  the  work,  in  whole  or  in  part 
and  in  any  manner,  and  to  have  or  permit  others  to  do  so,  for  government  purposes  pursuant  to 
the  copyright  license  under  the  clause  at  252.227-7013. 
GET THE BENEFITS OF CERT TRAINING

CERT works to create an international workforce skilled in information assurance and survivability by developing curricula on information assurance and security incident response for executives, managers, educators, software engineers, and network administrators and front-line system operators.

www.cert.org/work/training.html
CERT's Podcast Series: Security for Business Leaders

www.cert.org/podcast/

[Screenshot of the podcast player at http://www.cert.org/podcast/undockplayer.html, listing recent episodes:]

Mitigating Insider Threat: New and Improved Practices - 08.18.2009 - Featuring Dawn Cappelli
Analyzing Internet Traffic for Better Cyber Situational Awareness - 07.28.2009 - Featuring Derek Gabbard
Rethinking Risk Management - 07.07.2009 - Featuring Chris Alberts
The Upside and Downside of Security in the Cloud - 06.16.2009 - Featuring Tim Mather
More Targeted, Sophisticated Attacks: Where to Pay Attention - 05.26.2009 - Featuring Marty Lindner
Is There Value in Identifying Software Security "Never Events?" - 05.05.2009 - Featuring Robert Charette
Cyber Security, Safety, and Ethics for the Net Generation - 04.14.2009 - Featuring Rodney Petersen
An Experience-Based Maturity Model for Software Security - 03.31.2009 - Featuring Gary McGraw
Mainstreaming Secure Coding Practices - 03.17.2009 - Featuring Robert Seacord
Security: A Key Enabler of Business Innovation - 03.03.2009 - Featuring Roland Cloutier
Better Incident Response Through Scenario Based Training - 02.17.2009 - Featuring Chris May
An Alternative to Risk Management for Information and Software Security - Featuring Brian Chess
Become an SEI Member!

www.sei.cmu.edu/membership
For more than 20 years, the SEI has been at the forefront of software engineering.

By becoming an SEI Partner, you join forces with a software engineering pioneer and an institute whose credibility provides a solid foundation during uncertain economic times.

SEI Partner Network

www.sei.cmu.edu/partners